Considerations on COM(2021)421 - Authority for Anti-Money Laundering and Countering the Financing of Terrorism - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2021)421 - Authority for Anti-Money Laundering and Countering the Financing of Terrorism. |
|---|---|
| document | COM(2021)421  |
| date | May 31, 2024 |
| (2) | The cross-border nature of crime and criminal proceeds endangers the efforts of the Union financial system with regard to the prevention of money laundering and financing of terrorism. It is necessary to enhance those efforts at Union level through the creation of an authority responsible for contributing to the implementation of harmonised rules in that domain. In addition, such an authority should pursue a harmonised approach to strengthen the Union’s existing preventive AML/CFT framework and specifically AML/CFT supervision and cooperation between Financial Intelligence Units (FIUs). That approach is intended to reduce divergences in national legislation and supervisory practices and introduce structures that benefit the smooth functioning of the internal market in a determined manner and should, consequently, be based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). |
| (3) | Therefore, a Union authority for anti-money laundering and countering the financing of terrorism (‘the Authority’) should be established. The creation of the Authority is crucial for ensuring the efficient and adequate supervision of obliged entities that pose a high risk with regard to money laundering/terrorist financing (‘ML/TF’), strengthening common supervisory approaches for all other obliged entities, and facilitating joint analyses and cooperation between FIUs. |
| (4) | This Regulation is part of a comprehensive package that aims to strengthen the Union’s AML/CFT framework. Together, this Regulation, Regulation (EU) 2023/1113 of the European Parliament and of the Council (3), Regulation (EU) 2024/1624 of the European Parliament and of the Council (4) and Directive (EU) 2024/1640 of the European Parliament and of the Council (5) will form the legal framework governing the AML/CFT requirements to be met by obliged entities and underpinning the Union’s AML/CFT institutional framework. |
| (5) | To bring AML/CFT supervision to an efficient and uniform level across the Union, it is necessary to provide the Authority with the following powers: direct supervision of a certain number of selected obliged entities in the financial sector, including crypto-asset service providers; monitoring, analysis and exchange of information concerning ML/TF risks affecting the internal market; coordination and oversight of AML/CFT supervisors of the financial sector; coordination and oversight of AML/CFT supervisors of the non-financial sector, including self-regulatory bodies; and the coordination and support of FIUs. |
| (6) | Combining both direct and indirect supervisory competences in relation to obliged entities, and also providing a support and coordination mechanism for FIUs, is the most appropriate means of bringing about AML/CFT supervision and cooperation between FIUs at Union level. It is therefore necessary that the Authority combines independence and a high level of technical expertise and is established in line with the Joint Statement and Common Approach of the European Parliament, the Council of the European Union and the European Commission of 19 July 2012 on decentralised agencies. |
| (7) | The arrangements concerning the seat of the Authority should be laid down in a headquarters agreement between the Authority and the Member State where its seat is located. The headquarters agreement should stipulate the conditions of establishment of the seat and the advantages conferred by that Member State on the Authority and its staff. The headquarters agreement should be concluded in a timely manner before the Authority begins its operations. |
| (8) | When selecting the seat of the Authority, the European Parliament and the Council are to ensure that, given the nature of the Authority, its location enables it to fully execute its tasks and powers, to recruit highly qualified and specialised staff, to offer adequate training opportunities for AML/CFT activities, and, where relevant, to closely cooperate with Union institutions, bodies, offices and agencies; and, in order to avoid reputational risks, the European Parliament and the Council are to consider, based on publicly available, relevant and comparable information, such as reports of the Financial Action Task Force (FATF), how ML/TF risks are adequately addressed in the Member State where the seat will be located. In addition, the European Parliament and the Council are to take into account the following criteria for the selection of the Authority’s seat: an assurance that the Authority can be set up on site upon the entry into force of this Regulation; the accessibility of the location; the existence of adequate education facilities for the children of staff members; appropriate access to the labour market, social security and medical care for both children and spouses of staff members; and geographical balance. Considering those criteria, the Authority should have its seat in Frankfurt am Main, Germany. |
| (9) | The powers of the Authority aim to allow it to improve AML/CFT supervision in the Union in various ways. With respect to selected obliged entities, the Authority should ensure group-wide compliance with the requirements laid down in the AML/CFT framework and any other legally binding Union acts that impose AML/CFT-related obligations on financial institutions. With respect to financial supervisors, the Authority should in particular carry out periodic reviews to ensure that all financial supervisors perform their tasks adequately. It should also investigate systematic failures of supervision resulting from breaches, or the non-application or incorrect application, of Union law. With respect to non-financial supervisors, including self-regulatory bodies where appropriate, the Authority should coordinate peer reviews of supervisory standards and practices and request non-financial supervisors to ensure the observance of AML/CFT requirements in their sphere of competence. The Authority should be able to act in cases of potential breaches or non-application of Union law by non-financial supervisors and, where such breaches are not rectified in line with the Authority’s recommendations, it should issue warnings to the affected counterparties of the non-financial supervisors. The Authority should facilitate the functioning of the AML/CFT supervisory colleges in both the financial and non-financial sectors. Overall, the Authority should contribute to the convergence of supervisory practices and the promotion of high supervisory standards. In addition, the Authority should coordinate and support the conduct of joint analyses by FIUs, or request the launch of joint analyses, and should make IT and artificial intelligence services available to FIUs to enhance their data analysis capabilities, as well as tools for secure information sharing, including through the hosting of FIU.net, the dedicated IT system allowing FIUs to cooperate and exchange information with each other and, where appropriate, with their counterparts from third countries and third parties. |
| (10) | With a view to strengthening AML/CFT rules at Union level, enhancing the clarity of those rules while ensuring consistency with international standards and other legislation, and increasing the efficiency of the implementation of AML/CFT measures, including in the non-financial sector, it is necessary to establish the coordinating role of the Authority at Union level in relation to obliged entities in both the financial and the non-financial sectors for the purposes of assisting national supervisors and promoting supervisory convergence. Consequently, the Authority should be mandated to prepare draft regulatory and implementing technical standards and to adopt guidelines, recommendations and opinions with the aim of ensuring that, where supervision remains at national level, the same supervisory practices and standards apply in principle to all comparable entities. In addition, the Authority should be tasked with monitoring and measuring the degree of convergence and the consistent application of legal requirements and high supervisory standards by supervisory authorities and obliged entities. The Authority should be entrusted, due to its highly specialised expertise, with the development of a supervisory methodology in line with a risk-based approach. Certain aspects of the methodology, which can incorporate harmonised quantitative benchmarks, such as approaches for classifying the risk profile of obliged entities, including their inherent and residual risk profiles, should be detailed in directly applicable binding regulatory measures — regulatory or implementing technical standards — taking into account ML/TF risks in prudential supervision, in order to ensure effective interaction between AML/CFT supervision and prudential supervision. Other aspects of the methodology, which require wider supervisory discretion, such as approaches to assessing the internal controls of obliged entities, should be covered by non-binding guidelines, recommendations and opinions of the Authority. The harmonised supervisory methodology should take due account of and, where appropriate, leverage existing supervisory methodologies relating to other aspects of supervision of obliged entities in the financial sector, especially where there is interaction between AML/CFT supervision and prudential supervision. More specifically, the supervisory methodology to be developed by the Authority should complement the guidelines and other instruments developed by the European Supervisory Authority (European Banking Authority) (EBA) established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council (6) detailing the approaches of prudential supervisory authorities with respect to taking into account ML/TF risks in prudential supervision, in order to ensure effective interaction between AML/CFT supervision and prudential supervision. A harmonised supervisory methodology would also enable the development of common supervisory tools for interactions with, and data requests from, obliged entities across the entire supervisory system. The Authority should be able to coordinate the development of such tools in the form of structured questionnaires, based online or offline, and integrated into a single platform for interaction with obliged entities and among supervisors within the system. Such a platform would not only facilitate supervisory processes and harmonised supervisory approaches, but also avoid duplicative reporting requirements and the imposition of an excessive burden on obliged entities under supervision whether at Union or at national level. |
| (11) | The extension of money laundering’s predicate offences to include the non-implementation and evasion of targeted financial sanctions requires the development of an understanding of threats and vulnerabilities in that area at the level of obliged entities, supervisors and the Union. In carrying out its supervisory tasks in relation to selected obliged entities, the Authority should therefore ensure that those entities have in place adequate systems to implement requirements related to targeted financial sanctions. Similarly, given its central role in ensuring an effective supervisory system across the internal market, the Authority should support supervisory convergence in that area to ensure adequate oversight of the compliance of credit institutions and financial institutions with requirements related to the implementation of targeted financial sanctions. The information collected through the Authority’s supervisory and convergence tasks constitutes a resource for the Union’s understanding of risks in relation to the non-implementation and evasion of targeted financial sanctions, and can contribute to the identification of effective mitigating measures. To that end, the Authority should contribute its experience and knowledge to the development of a risk assessment at Union level in relation to the non-implementation and evasion of targeted financial sanctions. |
| (12) | The Authority should be entrusted with the development of draft regulatory technical standards in order to complete the harmonised rulebook established in Regulation (EU) 2023/1113, Regulation (EU) 2024/1624 and Directive (EU) 2024/1640. The Commission should be empowered to endorse draft regulatory technical standards by means of delegated acts pursuant to Article 290 TFEU in order to give them binding legal effect. |
| (13) | The Authority should be entrusted with the development of draft implementing technical standards where needed to ensure uniform conditions for the implementation of this Regulation. The Commission should be empowered to adopt implementing technical standards by means of implementing acts pursuant to Article 291 TFEU. |
| (14) | The draft regulatory and implementing technical standards should be subject to amendment only in very restricted and extraordinary circumstances, since the Authority is the actor in closest contact with, and with the best knowledge of, the AML/CFT framework. To ensure a smooth and expeditious adoption process for those standards, the Commission’s decision to endorse draft regulatory and implementing technical standards should be subject to a time limit. |
| (15) | In the process of developing draft regulatory and implementing technical standards and guidelines and recommendations addressed to obliged entities, supervisors or FIUs, the Authority should as a rule conduct open public consultations, unless those consultations and analyses are highly disproportionate to the scope and impact of the measures concerned or to the particular urgency of the matter. The public consultations should be conducted in order to analyse the potential related costs and benefits of the new measures and the requirements they are introducing, and in order to make sure that all stakeholders, including other Union bodies whose area of competence might be concerned, have had a chance to provide their input and advice. As the role of civil society, including academia, investigative journalists, and non-governmental organisations, has proven paramount over the years in identifying criminal patterns and how the Union AML/CFT framework can be strengthened to prevent criminal misuse of the internal market, the Authority should pay particular attention to the input provided by civil society. It should ensure appropriate engagement of civil society and active solicitations of its views during its policy-making process. |
| (16) | Since there are no sufficiently effective arrangements to handle AML/CFT incidents involving cross-border aspects, it is necessary to put in place an integrated AML/CFT supervisory system at Union level that ensures consistent high-quality application of the AML/CFT supervisory methodology and promotes efficient cooperation between all relevant competent authorities. For those reasons, the Authority and the national AML/CFT supervisory authorities should together constitute an AML/CFT supervisory system. The AML/CFT supervisory system should be based on mutual trust and cooperation in good faith, including exchanges of information and data related to supervision, in order to enable the Authority and supervisory authorities to carry out their tasks effectively. The AML/CFT supervisory system would benefit supervisory authorities when faced with specific challenges, for example vis-à-vis an enhanced ML/TF risk or due to a lack of resources, as within that system mutual assistance should be available on request. That mutual assistance could also involve exchange and secondments of personnel, training activities and exchanges of best practices. Furthermore, the Commission could provide technical support to Member States under Regulation (EU) 2021/240 of the European Parliament and of the Council (7) to promote reforms aimed at reinforcement of the fight against money laundering. |
| (17) | Given the important role played by thematic reviews in AML/CFT supervision across the Union, since they enable the level of exposure to risks in relation to obliged entities under supervision to be identified and compared, and given that, at present, supervisors in different Member States do not benefit from those reviews, it is necessary that the Authority identifies national thematic reviews that have a similar scope and timeframe and ensures their coordination at Union level. To avoid situations of possibly conflicting communications with supervised entities, the coordination role of the Authority should be limited to interaction with the relevant supervisory authorities, and should not include any direct interaction with non-selected obliged entities. For the same reason, the Authority should explore the possibility of aligning or synchronising the timeframe of national thematic reviews and facilitate any activities that the relevant supervisory authorities might wish to carry out, whether jointly or otherwise. |
| (18) | Efficient usage of data leads to better monitoring and compliance of obliged entities. Therefore, both direct and indirect supervision by the Authority and supervisory authorities of all obliged entities across the AML/CFT supervisory system should rely on expeditious access to relevant data and information about the obliged entities themselves and the supervisory actions and measures taken regarding them, subject to limited retention periods in accordance with the applicable data protection framework. To that end, and taking into account the confidential and sensitive nature of the information, the Authority should establish a central AML/CFT database with information collected from all supervisory authorities, and should make such information available to any supervisory authority and non-AML/CFT authority within the system where necessary, on a confidential and need-to-know basis. The collected data should also cover the relevant aspects of the withdrawal of authorisation procedures and ‘fit and proper’ assessments of shareholders or members of the management body of individual obliged entities as that would enable supervisory authorities and non-AML/CFT authorities to duly consider possible shortcomings of specific entities and individuals that might have materialised in other Member States. The database should also include statistical information about supervisory authorities and FIUs. All collected data and information would enable effective oversight by the Authority of the proper functioning and effectiveness of the AML/CFT supervisory system. The information from the database would enable the Authority to react in a timely manner to potential weaknesses and cases of non-compliance by non-selected obliged entities. In order to ensure that the database contains all relevant information that is available across the AML/CFT supervisory system, supervisory authorities should have the flexibility to submit other categories of data in addition to those directly envisaged by this Regulation. In the same vein, the Authority, while managing the database and analysing the submitted data, would be best placed to identify which additional data points or categories of data could be requested from supervisory authorities to boost the effectiveness of the database. To assist in compiling, storing and using a coherent and structured dataset, it is necessary to further specify the format, procedures, timelines and other details regarding the scope and nature of the data to be transmitted to the database. For that purpose, the Authority should develop draft regulatory technical standards and submit them to the Commission. The specifications provided for in the regulatory technical standards would determine the appropriate level of detail for specific categories of information expected to be transmitted with respect to the various types of supervisory activities or categories of obliged entities. The data collected with regard to obliged entities in the non-financial sector should consider the principle of proportionality and the mandate of the Authority in the non-financial sector. In addition, considering that the Authority would introduce oversight at Union level in the non-financial sector for the first time, and that Directive (EU) 2024/1640 requires adjustments in the national institutional framework for supervision which need to be transposed, it is necessary to envisage a sufficient period to prepare the integration into the database of the information from supervisory authorities in the non-financial sector. Specifically, non-financial sector data should be submitted to the database by four years from the date of entry into force of this Regulation, which is one year after the deadline for transposition of Directive (EU) 2024/1640. However, supervisory authorities in the non-financial sector should be able to submit those data on a voluntary basis before that date. The personal data processed in the context of the database should be retained for a period of up to 10 years after the date of their collection by the Authority. Such a retention period is strictly necessary and proportionate for the purpose of supervisory activities carried out by the Authority and supervisory authorities. The length of the data retention period also ensures that the Authority and supervisory authorities retain access to the necessary information on the risk assessment, business activities, controls placed on and breaches by individual obliged entities in order to carry out their duties, which requires them to access case-related information over a longer period of time. Such a retention period is notably necessary since supervisory authorities should take into account, among other factors, the gravity, duration and repetitiveness of the breach to determine the level of sanctions or measures to be applied, which requires case-related information to be analysed over a longer period of reference. Similarly, such a retention period is also necessary with regard to information resulting from ‘fit and proper’ assessments of shareholders or members of the management body in order to ensure that supervisory authorities have sufficient information to assess whether they are of good repute, act with honesty and integrity, and possess the knowledge and expertise necessary to carry out their functions, and to ensure ongoing monitoring of those conditions as required by Directive (EU) 2024/1640. Personal data should be deleted where it is no longer necessary to keep them. In view of the purpose of the database and the use of the information contained therein by the various participants of the AML/CFT supervisory system, it should not contain any data covered by legal privilege. |
| (19) | With the objective of ensuring a more effective and less fragmented protection of the Union’s financial framework, a limited number of the riskiest obliged entities should be directly supervised by the Authority. As ML/TF risks are not proportional to the size of the supervised entities, other criteria should be applied to identify the riskiest entities. In particular, two categories should be considered: high-risk cross-border credit institutions and financial institutions with activity in a significant number of Member States, selected periodically; and, in exceptional cases, any entity whose material breaches of applicable requirements are not sufficiently or in a timely manner addressed by its national supervisor. In such exceptional cases, either the Authority or the financial supervisors should be able to request a transfer of supervision from national to Union level, with a proper justification. Where such requests for transfer are submitted by the Authority, they should be examined by the Commission and either approved or rejected by means of an official decision, taking into account the justification submitted. Where such requests for transfer are submitted by the financial supervisors to the Authority and involve the voluntary delegation of tasks and powers, it should be for the Authority to decide on the necessity of the transfer, and assume direct supervision of the obliged entity or group in question where it finds that the Union’s interests and the integrity of the AML/CFT system so require. All entities in respect of which the Authority would be exercising direct supervisory powers fall under the category of ‘selected obliged entities’. |
| (20) | The first category of credit institutions and financial institutions, or groups of credit institutions and financial institutions, should be assessed every three years, based on a combination of objective criteria related to their cross-border presence and activity and criteria related to their ML/TF risk profile. Only credit institutions or financial institutions, or groups of credit institutions or financial institutions, which are present in a significant number of Member States, regardless of whether they operate through establishments or under the freedom to provide services in Member States, and for which supervision at Union level would therefore be more adequate, should be included in the selection process. |
| (21) | The periodic assessment of the risk profile of credit institutions and financial institutions for the purpose of selection for direct supervision should rely on data to be provided by the financial supervisors or, in respect of already selected obliged entities, by the Authority. In addition, the Authority should ensure the harmonised application of the methodology by financial supervisors and coordinate the assessment of the risk profile of entities at group-wide level. An implementing technical standard should specify the respective roles of the Authority and the financial supervisors in the assessment process. The Authority should ensure alignment, where appropriate, between the methodology for the assessment of the risk profile for the purpose of selection pursuant to this Regulation, and the methodology for harmonising the assessment of the inherent and residual risk profiles of obliged entities at national level to be developed in the regulatory technical standards adopted pursuant to Article 40(2) of Directive (EU) 2024/1640. |
| (22) | Given the existing wide diversity of approaches adopted by national authorities to the evaluation of the residual risk profile of obliged entities, the process of regulatory development of a refined and detailed harmonised methodology allowing for the assessment of residual risk with comparable outcomes is evolving and should be begun on the basis of the work carried out by the EBA as soon as possible. Therefore, the methodology for the categorisation of residual risk to be adopted for the first identification of selected obliged entities should aim to be more straightforward and to harmonise the different approaches applied at national level. The Authority should review its methodology every three years, taking into account the evolution of relevant knowledge. |
| (23) | The final selection criterion should ensure a level playing field among directly supervised obliged entities and, to that end, no discretion should be left to the Authority or supervisory authorities in deciding on the list of obliged entities that are to be subject to direct supervision. Therefore, where a given assessed obliged entity operates cross-border and falls within the high risk category pursuant to the harmonised methodology, it should be deemed to qualify as a selected obliged entity. |
| (24) | To provide transparency and clarity to the relevant institutions, the Authority should publish a list of the selected obliged entities within six months of the commencement of a selection period, after verifying that the information provided by the financial supervisors corresponds to the cross-border activities criteria and to the risk profile methodology. Therefore it is important that at the beginning of each selection period, the relevant financial supervisors and, if necessary, the obliged entities themselves, provide the Authority with up-to-date statistical information to determine the list of financial institutions eligible for assessment in accordance with the assessment entry criteria relating to their cross-border operations. In that context, the financial supervisors should inform the Authority of the risk profile category that a financial institution falls into in their jurisdictions pursuant to the methodology laid down in the regulatory technical standards. The Authority should then commence direct supervision of the selected obliged entities six months after the publication of the list. That time is needed to appropriately prepare the transfer of supervisory tasks from national to Union level, including the formation of a joint supervisory team and the adoption of any relevant working arrangements with the relevant financial supervisors. |
| (25) | To ensure legal certainty and a level playing field among selected obliged entities, any selected obliged entity should remain under the direct supervision of the Authority for at least three years, even if, after the moment of selection and in the course of those three years, the selected obliged entity ceases to meet any of the cross-border activity or risk-related criteria due to, for example, a potential ceasing, consolidation, expansion or re-allocation of activities carried out through establishments or under the freedom to provide services. The Authority should also ensure that sufficient time is allocated to the preparation by the selected obliged entities and their supervisory authorities for the transfer of supervision from national to Union level. Therefore, each subsequent selection should commence 12 months before the expiry of the three-year period of supervision of the previously selected obliged entities. |
| (26) | The Authority should supervise obliged entities in the financial sector having a high risk profile where such entities operate in at least six Member States whether through establishments or under the freedom to provide services within the Union. In such cases, supervision at Union level by the Authority would bring significant added value compared to fragmented supervision between home and host Member States by eliminating the need for national supervisors of home and host Member States to coordinate and align the measures taken with regard to various parts of the same group. In order to ensure the homogeneous supervision of groups and a more granular analysis of the risk of the cross-border entities assessed, the assessment of the ML/TF risk of obliged entities which are part of a group should always be done at the level of the group, resulting in a single group-wide risk score to be considered for the purposes of the selection. The entire group should then be considered as the selected obliged entity. While the exact number of entities that could meet the risk and cross-border activities criteria for direct supervision varies and depends on their business model and money-laundering risk profile at the moment of the assessment, it is necessary to ensure an optimal, progressive and dynamic repartition of competences between the Union and national authorities in the first phase of the existence of the Authority. To ensure a sufficient number and adequate range of types of high-risk groups and entities that are supervised at Union level, the Authority should have sufficient resources to simultaneously supervise up to 40 groups and entities, at least during the first selection process. In the event that more than 40 entities would qualify for direct supervision based on their high risk profile, the Authority should select from among them the 40 entities operating, whether through establishments or under the freedom to provide services, in the highest number of Member States. In the event that that criterion is not sufficient to be able to select 40 entities, in particular where several obliged entities operate in the same number of Member States — for example, entities number 39, 40 and 41 all operate in the same number of Member States — the Authority should be able to distinguish among them and should select those that have the highest ratio of volume of transactions with third countries to their total volume of transactions. In subsequent selection processes, and building on the experience with supervision acquired during the first selection process, it would be beneficial for the number of entities under its supervision to increase also for the Authority to ensure complete coverage of the internal market under its supervision. To that end, in the event that more than 40 entities would qualify for direct supervision based on their high risk profile, the Authority should be able to, in consultation with the supervisory authorities, agree to supervise a specific different number of entities or groups that is greater than 40. In deciding on that specific number, the Authority should take into account its own resources in terms of its capacity to allocate or additionally hire the necessary number of supervisory and support staff and should ensure that the increase in the financial and human resources is feasible. At the same time, complete coverage of the internal market could be ensured by supervising at least one entity per Member State. In the Member States where no entities are identified following the regular selection process, the risk methodology designed for the selection process, including the criteria for choosing between several entities with a high risk profile, should be applied in order to select one entity. |
| (27) | The relevant actors involved in the application of the AML/CFT framework should cooperate with each other in accordance with the duty of sincere cooperation enshrined in the Treaties. In order to ensure that the AML/CFT supervisory system composed of the Authority and supervisory authorities functions as an integrated mechanism, and that jurisdiction-specific risks and local supervisory expertise are duly taken into account and well utilised, direct supervision of selected obliged entities should take place in the form of joint supervisory teams and, where appropriate, dedicated on-site inspection teams. Those teams should be led by a staff member of the Authority coordinating all supervisory activities of the team (‘JST coordinator’). The JST coordinator and other staff members of the Authority allocated to the joint supervisory team should be based at the seat of the Authority but should be able to carry out their day-to-day tasks and supervisory activities in any Member State where the selected obliged entity has its operations. To that end, the financial supervisors should assist in ensuring smooth and flexible working arrangements for all joint supervisory team members. The Authority should be in charge of the establishment and composition of the joint supervisory team, and the local supervisors involved in the supervision of the entity should ensure that a sufficient number of their staff members is appointed to the team, taking into account the risk profile of the selected obliged entity in their jurisdiction, as well as its overall volume of activity. Each supervisor involved in the supervision of a group should appoint a member to the joint supervisory team. However, in cases where the risk of the obliged entity’s activities is low in a particular Member State, the financial supervisor in that Member State should be able to choose, in agreement with the JST coordinator, not to appoint a member to the joint supervisory team. Where no member is appointed to the joint supervisory team, the relevant financial supervisor should still have a contact point for any joint supervisory team matters and responsibilities. |
| (28) | To ensure that the Authority can fulfil its supervisory obligations in an efficient manner with regard to selected obliged entities, the Authority should be able to obtain any internal documents and information necessary for the exercise of its tasks and for that purpose have the general investigation powers afforded to all supervisory authorities under national administrative law. To that end, the Authority should be able to address information requests to the selected obliged entity, to natural persons employed by it, to legal persons belonging to it and to parties contracted by it, such as: the obliged entity itself or any legal person within the obliged entity; employees of the obliged entity and persons in comparable positions, including agents and distributors; external contractors; and third parties to whom a selected obliged entity has outsourced its activities. |
| (29) | The Authority should have the power to require actions, internal to an entity, to enhance the compliance of obliged entities with the AML/CFT framework, including reinforcement of internal procedures and changes in the governance structure, going as far as removal of members of the management body, without prejudice to the powers of other relevant supervisory authorities of the same selected obliged entity. Following findings related to non-compliance or partial compliance with applicable requirements by the selected obliged entity, it should be able to impose specific measures or procedures for particular clients or categories of clients who pose high ML/TF risks. On-site inspections should be a regular feature of such supervision and could be performed by dedicated teams. If a specific type of on-site inspection, for instance with respect to a natural person where the business premises are the same as the person’s private residence, requires authorisation by the national judicial authority, such authorisation should be applied for by the Authority. |
| (30) | The Authority should have a full range of supervisory powers in relation to directly supervised entities in order to ensure compliance with applicable requirements. Those powers should apply in cases where the selected obliged entity does not meet its requirements, in cases where certain requirements are not likely to be met, as well as in cases where internal procedures and controls are not appropriate to ensure sound management of selected obliged entity’s ML/TF risks. The exercise of those powers could be done by means of binding decisions addressed to individual selected obliged entities. |
| (31) | In addition to supervisory powers to apply administrative measures, and in order to ensure compliance, in any cases of breaches of directly applicable requirements, the Authority should be able to impose pecuniary sanctions on the selected obliged entities. For serious, repeated or systematic breaches, the Authority should always apply pecuniary sanctions. Such sanctions should be proportionate and dissuasive, should have both punitive and deterrent effect, and should comply with the principle of ne bis in idem. The maximum amounts of pecuniary sanctions should be in line with those established by Directive (EU) 2024/1640 and available to all supervisory authorities across the Union. The basic amounts of those sanctions should be determined within the limits established by the AML/CFT framework, taking into account the nature of the requirements that have been breached. In order for the Authority to adequately take aggravating or mitigating factors into account, adjustments to the relevant basic amount should be possible. With the objective of achieving a timely end to the damaging business practice, the Executive Board of the Authority should be empowered to impose periodic penalty payments to compel the relevant legal or natural person to cease the relevant conduct. With the aim of heightening awareness of all obliged entities, by encouraging them to adopt business practices in line with the AML/CFT framework, the pecuniary sanctions and periodic penalty payments should be disclosed. The disclosure regime for administrative measures as well as the pecuniary sanctions and periodic penalty payments imposed by the Authority and detailed in this Regulation should be closely aligned with that at national level, as provided by Directive (EU) 2024/1640. The Court of Justice should have jurisdiction to review the legality of decisions adopted by the Authority, the Council and the Commission, in accordance with Article 263 TFEU, as well as to determine their non-contractual liability. |
| (32) | It is important that the authorities in charge of overseeing the implementation of targeted financial sanctions at national level are informed in a timely manner of any violation of such obligation by selected obliged entities. To that end, the Authority should be able to share such information with the financial supervisor in the relevant Member State and instruct it to convey such information to the national authority responsible for overseeing the implementation of those sanctions. |
| (33) | For non-selected obliged entities, the AML/CFT supervision is to remain primarily at national level, with national competent authorities retaining full responsibility and accountability for direct supervision. The Authority should be granted adequate indirect supervisory powers to ensure that supervisory actions at national level are consistent and of a high quality across the Union. Therefore, it should carry out assessments of the state of supervisory convergence and publish reports with its findings. It should be empowered to adopt follow-up measures in the form of guidelines and recommendations, including individual recommendations addressed to financial supervisors as a result of the assessment, with a view to ensuring harmonised and high-level supervisory practices across the Union. Individual recommendations could contain suggestions of specific follow-up measures and the financial supervisor should make every effort to comply with those measures. Where a financial supervisor does not implement the follow-up measures, the Authority should take the adequate and necessary steps in accordance with this Regulation. |
| (34) | The Authority should also be able to settle disagreements between financial supervisors concerning the measures to be taken in relation to a non-selected obliged entity in the financial sector. In order to ensure constructive cooperation, the Authority should in the first instance attempt to resolve the disagreement through a conciliation phase with a set time limit. In the event that the conciliation phase does not achieve the desired results, the Authority should be able to adopt a binding decision requiring those supervisors to take specific action or to refrain from certain action, in order to settle the matter and to ensure compliance with Union law. |
| (35) | For the purposes of safeguarding the proper functioning and effectiveness of the AML/CFT supervisory system, the Authority should be able to identify and act in cases of systematic failures of supervision caused by breaches of Union law resulting from the non-application or improper application of national measures transposing Union directives. To that end, and without prejudice to the powers of the Commission to launch an infringement procedure pursuant to the TFEU, the Authority should be able to investigate such possible breaches. Where the Authority has established a breach, after informing the supervisor concerned and, where appropriate, giving other financial supervisors the opportunity to provide information on the matter, the Authority should be able, if it considers it appropriate, to issue a recommendation to the supervisor in question, outlining the measures to be taken to rectify the breach. Where the shortcomings identified have not been remedied, the Commission should also be able to issue an opinion requiring the supervisor to comply with the recommendation issued by the Authority. |
| (36) | Certain obliged entities in the financial sector that do not meet the requirements of the regular selection process might nonetheless have a high inherent or residual risk profile from the ML/TF perspective, or might take on, change or expand activities that entail high risk, not mitigated by a commensurate level of internal controls, thus leading to serious, repeated or systematic breaches of AML/CFT requirements. If there are indications of possible serious, repeated or systematic breaches of applicable AML/CFT requirements, they might be a sign of gross negligence on the part of the obliged entity. The supervisory authority should be able to adequately respond to any possible breaches and prevent the risks from materialising and leading to gross negligence in the application of AML/CFT requirements. However, in certain cases, a national level response might not be sufficient or timely, especially when there are indications that serious, repeated or systematic breaches at the level of the entity have already occurred. In those cases, the Authority should request the local supervisor to take specific measures to remedy the situation, including requesting the local supervisor to issue financial sanctions or other coercive measures. To prevent ML/TF risks from materialising, the deadline for action at national level should be sufficiently short. |
| (37) | The Authority should be notified where the situation of a non-selected obliged entity with regard to its compliance with applicable requirements and its exposure to ML/TF risks deteriorates rapidly and significantly, especially where such deterioration could result in significant harm to the reputation of several Member States or of the Union as a whole. |
| (38) | The Authority should have the opportunity to request a transfer of supervisory tasks and powers relating to a specific obliged entity on its own initiative in the case of inaction, or failure or inability to follow its instructions within the provided deadline. Since the transfer of tasks and powers relating to an obliged entity without a specific request addressed to the Authority by the financial supervisor would require a discretionary decision on the part of the Authority, the Authority should address a specific request to that end to the Commission. In order for the Commission to be able to take a decision coherent with the framework of the tasks allocated to the Authority within the AML/CFT framework, the request of the Authority should enclose an appropriate justification, and should specify the duration of the reallocation of tasks and powers to the Authority. The timeframe for the reallocation of powers should correspond to the time the Authority requires to deal with the risks at entity level, and should not exceed three years. The Authority should be able to request a prolongation of that timeframe where the breaches identified have not been fully addressed. That prolongation should be limited to what is necessary to address those breaches and not exceed three years. The Commission should adopt a decision transferring powers and tasks for supervising the entity to the Authority swiftly, and in any case without undue delay. That decision should be communicated to the European Parliament and to the Council. |
| (39) | In order to improve supervisory practices in the non-financial sector, the Authority should carry out peer reviews of non-financial supervisors, which should also include peer reviews of public authorities overseeing self-regulatory bodies. To that end, the Authority should develop the methodological framework for such reviews, including rules to avoid conflicts of interest in the conduct of peer reviews and in the drawing up of findings and regarding the consideration to be given to evaluations by international organisations and intergovernmental bodies with competence in the field of ML/TF prevention, when deciding on the planning of peer reviews and on their content. With a view to fostering convergence of supervisory practices, the Authority should publish reports with findings from those peer reviews, including shortcomings and good practices identified. Those reports could be accompanied by guidelines or recommendations addressed to the relevant public authorities, including public authorities overseeing self-regulatory bodies. Self-regulatory bodies should be able to participate in peer reviews where they have expressed an interest in doing so. |
| (40) | With the objective of increasing the efficiency of the implementation of AML/CFT measures also in the non-financial sector, the Authority should also be able to investigate possible breaches or incorrect application of Union law by supervisors in that sector as well as by public authorities overseeing self-regulatory bodies. Where the Authority establishes that a breach exists, it should be able to issue a recommendation vis-à-vis the non-financial supervisor or supervisory authority concerned specifying the measures to be taken to rectify it. Where no appropriate action has been taken in response to that recommendation, the Authority should also be able to issue a warning to the relevant counterparties of the supervisory authority or non-financial supervisor. The powers of the Authority to issue such recommendations and warnings are without prejudice to the powers of the Commission to launch infringement procedures against Member States where it detects a situation of non-implementation or poor implementation of Union law, in accordance with the powers conferred on it under the Treaties. |
| (41) | The Authority should also be able to settle disagreements between non-financial supervisors concerning the measures to be taken in relation to an obliged entity in the non-financial sector. In order to ensure constructive cooperation, the Authority should attempt to resolve disagreements through a conciliation phase with a set time limit. At the end of the conciliation phase, the Authority should issue an opinion on how to settle the disagreement. |
| (42) | In light of the cross-border nature of ML/TF, effective and efficient cooperation, information exchange and coordinated action between FIUs are of crucial importance. In order to improve such coordination and cooperation, the Authority should be entrusted with tasks and powers enabling the Authority and FIUs to jointly constitute a support and coordination mechanism for FIUs. To that end, the Authority should have sufficient human, financial and IT resources, which should, where necessary, be organisationally separated from the staff carrying out the tasks relating to the Authority’s supervisory activities. The success of the support and coordination mechanism for FIUs depends on the Authority and FIUs cooperating in good faith and exchanging all relevant information required to fulfil their respective tasks. In the case of a disagreement between FIUs in relation to cooperation and the exchange of information, the Authority should be informed accordingly and should be able to act as a mediator between the relevant FIUs. |
| (43) | In order to analyse suspicious activity affecting multiple jurisdictions, FIUs that received linked reports should be able to efficiently conduct joint analyses of cases of common interest. To that end, the Authority should be able to propose, initiate, coordinate and support with all appropriate means joint analyses of cross-border suspicious transactions or activities. A joint analysis should be triggered where there is a need for one pursuant to the relevant provisions of Union law and in accordance with the methods and criteria for the selection and prioritisation of cases relevant for the conduct of joint analyses developed by the Authority. FIUs should make every effort to accept the Authority’s invitation to take part in a joint analysis. An FIU that declines to take part in a joint analysis should explain the reasons for its refusal to the Authority. Where relevant, those reasons should be provided to the FIU that identified the need to carry out the joint analysis. Upon the express consent of the FIUs participating in the joint analysis, the staff of the Authority supporting the conduct of the joint analysis should be granted access to all necessary data and information, including data and information pertaining to the subject matter of the case. |
| (44) | The Authority should be able to request FIUs to initiate a joint analysis under specific circumstances, including where information has been brought to the attention of the Authority by whistleblowers or investigative journalists or where the joint analysis of complex and cross-border cases would add value. FIUs that have been requested to participate in a joint analysis should respond to the Authority without delay indicating whether they are willing to participate in the joint analysis and, if they are not willing to participate, providing their reasons therefor. |
| (45) | Identifying, at an early stage, links with information held by other Union bodies, offices and agencies and by relevant third parties is critical to ensure that the most relevant cross-border cases, including those requiring extensive operational analysis, are selected. In that respect, and subject to the consent of all FIUs that have indicated their willingness to take part in a joint analysis, the staff of the Authority should be authorised to cross-match, on a hit/no-hit basis, the data of those FIUs with the information made available by other FIUs and Union bodies, offices and agencies, including Europol. The Authority should ensure that the most advanced state-of-the-art technology available, including privacy-enhancing technologies, is used for the purposes of cross-matching information on a hit/no-hit basis. The match functionality of the FIU.net system is an example of a solution which allows an FIU to establish in real time whether a subject whose data is pseudonymised is already known by the FIU of another country or by a Union body, office or agency, which avoids the unnecessary processing of personal data. In the case of a hit, the Authority should share the information that generated a hit with the FIUs involved in the joint analysis. In those circumstances, the Authority should also share the information that triggered the hit with Union bodies, offices and agencies, subject to the prior consent of the FIU providing the information. |
| (46) | In order to ensure that the process for establishing a joint analysis is fast and efficient, the Authority should be responsible for the establishment and composition of the joint analysis team and its coordination. |
| (47) | Effective operational cooperation in cross-border cases between the Authority and other relevant Union bodies, offices and agencies is of crucial importance. In order to ensure that, where relevant, the results of joint analyses of cross-border cases are followed up effectively, the Authority should report the results of joint analyses to the European Public Prosecutor’s Office (EPPO) or transmit them to the European Anti-Fraud Office (OLAF) where the results of a joint analysis indicate that a criminal offence, in respect of which the EPPO or OLAF could exercise their competences, may have been committed. Furthermore, subject to the agreement of all FIUs participating in a joint analysis, the Authority should also be able to transmit the results of that joint analysis to Europol and Eurojust where the results of that joint analysis indicate that a criminal offence may have been committed in respect of which Europol and Eurojust could exercise their competences. The Authority should be able to exchange strategic information, such as typologies and risk indicators, with the EPPO, OLAF, Europol and Eurojust. |
| (48) | Pursuant to Article 24 of Council Regulation (EU) 2017/1939 (8), the Authority is to report without undue delay to the EPPO any criminal conduct in respect of which it could exercise its competence in accordance with Article 22 and Article 25(2) and (3) of that Regulation. Pursuant to Article 8 of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (9), the Authority is to transmit to OLAF without delay any information relating to possible cases of fraud, corruption or any other illegal activity affecting the financial interests of the Union. In accordance with the applicable provisions of the legal instruments governing them, the EPPO and OLAF should inform the Authority of the steps taken in relation to the information provided and any relevant outcomes. |
| (49) | In order to improve the effectiveness of joint analyses, the Authority should be able to establish methods and procedures for the conduct of joint analyses. Based on the feedback provided by the FIUs involved in joint analyses, the Authority should be able to review their conduct, in order to identify the lessons learnt. Such reviews should enable the Authority to issue follow-up reports and conclusions to be shared with all FIUs, without disclosing confidential or restricted information, with the aim of further refining and improving the methods and procedures for the conduct of joint analyses, ultimately improving and promoting the analyses themselves. |
| (50) | In order to facilitate and improve cooperation between FIUs and the Authority, including for the purposes of conducting joint analyses, FIUs should delegate one or more staff members per FIU to the Authority (‘national FIU delegates’’). The national FIU delegates should support the staff of the Authority in carrying out all the tasks relating to FIUs, including the conduct of joint analyses and the preparation of threat assessments and strategic analyses of ML/TF threats, risks and methods. While remaining under the authority of their delegating FIU, FIU delegates should be operationally independent and autonomous when carrying out their tasks and duties under this Regulation. They should not seek nor take instructions from Union institutions, bodies, offices or agencies, or from governments or other public or private bodies. Their tasks and duties should be without prejudice to the security and confidentiality rules of FIUs. |
| (51) | Other than joint analyses, the Authority should encourage and facilitate various forms of mutual assistance between FIUs, including training and staff exchanges in order to improve capacity building and enable the exchange of knowledge and good practices amongst FIUs. The Authority’s role in supporting FIUs in their activities grants it a unique position to facilitate access by FIUs to databases and tools that are instrumental to improve the quality of financial intelligence. The Authority should use its position to negotiate, on behalf of all FIUs, contracts with providers of those tools and databases, as well as relevant training for its staff and the staff of FIUs. The Authority should also have a mediation role in the event of disagreements between FIUs. To that end, FIUs should be able to refer disagreements related to cooperation, including the exchange of information between FIUs, to the Authority for mediation in the event that they fail to solve those disagreements by means of direct contact and dialogue. |
| (52) | The Authority should manage, host and maintain FIU.net. The Authority should keep the system up-to-date, taking into account the needs expressed by FIUs. To that end, the Authority should ensure that at all times the most advanced state-of-the-art technology available is used for the development of FIU.net, subject to a cost-benefit analysis. As the Authority should rely on third-party service providers only for non-essential tasks, it should not outsource the hosting and management of FIU.net. The Authority should not have access to the content of the information exchanged within FIU.net, except where it is an intended recipient of such information. In order to be able to send, receive and cross-match information, the Authority should be provided with an operational node in the FIU.net system. |
| (53) | In order to establish consistent, efficient and effective supervisory and FIU-related practices and ensure the common, uniform and coherent application of Union law, the Authority should be able to issue guidelines and recommendations addressed to all, or a category of, obliged entities and all, or a category of, supervisory authorities and FIUs. The guidelines and recommendations could be issued pursuant to a specific empowerment in the applicable Union acts, or on the own initiative of the Authority, where there is a need to strengthen the AML/CFT framework at Union level. |
| (54) | To provide optimal assistance to FIUs and thereby increase the effectiveness of the support and coordination mechanism for FIUs, the Authority and FIUs should be able to strengthen the effectiveness of FIU activities, identifying and promoting best practices. Peer reviews would be the best instrument to allow for an objective assessment of such activities and practices, and therefore the Authority should be tasked with organising such peer reviews, based on methods and rules of procedure for the conduct of such reviews, to be developed centrally by the Authority. To be useful, peer reviews should be comprehensive and cover all relevant aspects of the tasks of FIUs set out in Chapter III of Directive (EU) 2024/1640. Therefore, they should cover, inter alia, the adequacy of FIUs’ resources, the measures implemented to ensure FIUs’ operational independence and autonomy, the measures put in place to protect the security and confidentiality of the information processed by FIUs, the functions related to receipt of suspicious transaction reports, the functions related to the operational and strategic analyses of FIUs and their dissemination, and domestic and cross-border cooperation arrangements and practices of FIUs. The peer reviews could result in the issuance by the Authority of guidelines and recommendations aimed at promoting any identified best practices and addressing any shortcomings. |
| (55) | The establishment of a solid governance structure within the Authority is essential for ensuring the effective exercise of the tasks granted to the Authority, and for an efficient and objective decision-making process. Due to the complexity and variety of the tasks conferred on the Authority in both the supervision and FIU areas, the decisions cannot be taken by a single governing body, as is often the case in decentralised agencies. Whereas certain types of decisions, such as decisions on the adoption of common instruments, need to be taken by representatives of the appropriate authorities or FIUs and respect the voting rules of the TFEU, certain other decisions, such as the decisions in relation to individual selected obliged entities or individual authorities, require a smaller decision-making body, whose members should be subject to appropriate accountability arrangements. Therefore, the Authority should have a General Board and an Executive Board. |
| (56) | In order to ensure the relevant expertise, the General Board should have two compositions. For all decisions on the adoption of acts of general application such as draft regulatory and implementing technical standards, guidelines, recommendations, and opinions relating to FIUs, it should be composed of the heads of FIUs of Member States (‘General Board in FIU composition’). For the same types of acts relating to the direct or indirect supervision of financial and non-financial obliged entities, it should be composed of the heads of AML/CFT supervisors that are public authorities (‘General Board in supervisory composition’). All parties represented in the General Board should make efforts to limit the turnover of their representatives, in order to ensure continuity of the Board’s work. All parties should aim to achieve a gender balanced representation on the General Board. |
| (57) | For a smooth decision-making process, the tasks should be clearly divided: the General Board in FIU composition should decide on draft regulatory and implementing technical standards, guidelines and similar measures for FIUs, while the General Board in supervisory composition should decide on draft regulatory and implementing technical standards, guidelines and similar measures for obliged entities. The General Board in supervisory composition should also be able to provide, in accordance with procedures to be defined in agreement with the Executive Board, its opinion to the Executive Board on all draft decisions in relation to individual selected obliged entities proposed by the Joint Supervisory Teams. In the absence of such an opinion, the decisions should be taken by the Executive Board. Whenever the Executive Board deviates in its final decision from the opinion provided by the General Board in supervisory composition, it should explain the reasons therefor in writing. |
| (58) | For the purposes of voting and taking decisions, each Member State should have one voting representative. Therefore, the heads of the supervisory authorities of obliged entities in each Member State should appoint a permanent representative as the voting member of the General Board in supervisory composition. Alternatively, depending on the subject matter of the decision or agenda of a given General Board meeting, the supervisory authorities of a Member State should be able to appoint an ad hoc representative. The practical arrangements related to decision-making and voting by the General Board members in supervisory composition should be laid down in the rules of procedure of the General Board, to be developed by the Authority. |
| (59) | In order for the General Board in FIU composition to get assistance in the preparation of all relevant decisions under its mandate, it should be supported by a standing committee with a more limited composition. The standing committee should support the work of the General Board in FIU composition and perform its duties solely in the interest of the Union as a whole. It should work in close cooperation with FIU delegates and the staff of the Authority in charge of tasks related to FIUs, and in full transparency vis-à-vis the General Board in FIU composition. |
| (60) | The Chair of the Authority should chair the General Board meetings and have a right to vote when decisions are taken by simple majority unless otherwise provided for by this Regulation. The Commission should be a non-voting member on the General Board. To establish good cooperation with other relevant institutions, the General Board should also be able to admit other non-voting observers — in particular representatives nominated by the Supervisory Board of the European Central Bank (ECB) and of each of the three European Supervisory Authorities, namely, the EBA, the European Supervisory Authority (European Insurance and Occupational Pensions Authority — EIOPA), established by Regulation (EU) No 1094/2010 of the European Parliament and of the Council (10), and the European Supervisory Authority (European Securities and Markets Authority — ESMA), established by Regulation (EU) No 1095/2010 of the European Parliament and of the Council (11) (collectively, ‘the ESAs’) for the General Board in supervisory composition and OLAF, Europol, Eurojust and the EPPO for the General Board in FIU composition — where matters that fall under their respective mandates are discussed or decided upon. To ensure that relevant Union institutions, bodies, offices and agencies are invited to the meetings where their presence would be required or beneficial, the rules of procedure of the General Board should clearly define the circumstances under which those Union institutions, bodies, offices and agencies, as well as other observers, should be able to be admitted to the meetings. When drafting the relevant parts of the rules of procedure, the Authority should agree with those Union institutions, bodies, offices and agencies on the terms and conditions of their participation. Such an agreement is presumed where the terms and conditions for participation are already included in the bilateral working arrangements or memoranda of understanding mandated by this Regulation. To allow a smooth decision-making process, decisions of the General Board should be taken by simple majority, except for decisions concerning draft regulatory and implementing technical standards, guidelines and recommendations, which should be taken by a qualified majority of Member State representatives in accordance with the voting rules of the Treaties. |
| (61) | The governing body of the Authority should be the Executive Board, composed of the Chair of the Authority and of five full-time members, including the Vice-Chair, and appointed by the European Parliament and the Council upon a proposal of the General Board based on the shortlist of qualified candidates drawn up by the Commission. With the aim of ensuring a speedy and efficient decision-making process, the Executive Board should be in charge of the planning and execution of all tasks of the Authority except where specific decisions are expressly allocated to the General Board. In order to ensure the objectivity and appropriate rapidity of the decision-making process in the area of direct supervision of selected obliged entities, the Executive Board should take all binding decisions addressed to selected obliged entities. The representatives of the financial supervisors where the entity is established should be able to attend the deliberations of the Executive Board. In addition, together with a representative of the Commission, the Executive Board should be collectively responsible for the administrative and budgetary decisions of the Authority. |
| (62) | To allow for swift decisions, all decisions of the Executive Board, including decisions where the Commission has a right to vote, should be taken by simple majority, with the Chair of the Authority holding a casting vote in the event of a tied vote. To ensure sound financial management of the Authority, with respect to decisions where the Commission has a right to vote and the Executive Board deviates from the opinion of the Commission, the Executive Board should be able to provide a thorough justification for such deviation. |
| (63) | To ensure the independent functioning of the Authority, the five full-time members of the Executive Board and the Chair of the Authority should act independently and in the interest of the Union as a whole. They should behave, both during and after their term of office, with integrity and discretion as regards the acceptance of certain appointments or benefits. To avoid giving the impression that members of the Executive Board of the Authority might use their position as members of the Executive Board to obtain a high-ranking appointment in the private sector after their term of office, and to prevent any post-public employment conflicts of interests, a cooling-off period for the five full-time members of the Executive Board as well as for the Chair of the Authority, should be introduced. |
| (64) | The Chair of the Authority should be appointed on the basis of objective criteria by the Council after approval by the European Parliament. Both the European Parliament and the General Board should be able to conduct hearings of the candidates for the position of Chair of the Authority, shortlisted by the Commission. In order to ensure an informed choice of the best candidate by the European Parliament and the Council and a high degree of transparency in the appointment process, the General Board should be able to issue a public opinion on the results of its hearings, or transmit its opinion to the European Parliament, the Council and the Commission. The Chair should represent the Authority externally and should report on the execution of the Authority’s tasks. |
| (65) | The Executive Director of the Authority should be appointed by the Executive Board based on a shortlist drawn up by the Commission. To enable an optimal choice, the shortlist should comprise at least two candidates, selected by the Commission based on the grounds of merit and documented high-level administrative, budgetary and management skills, to be demonstrated by the shortlisted candidates during an open selection procedure. The Executive Director of the Authority should be a senior administrative staff member of the Authority, in charge of the day-to-day management of the Authority, and responsible for budget administration, procurement, and recruitment and staffing. |
| (66) | Equality between women and men and diversity are fundamental values of the Union, which it promotes across the whole range of Union actions. While progress has been made in those areas over time, more is needed in order to achieve balanced representation in decision-making, whether at Union or national level. The Authority’s main governing body, the Executive Board, should be collegial and should be composed of the Chair of the Authority and five other independent members, while the day-to-day management should be entrusted to an Executive Director. All those persons should be selected on the basis of an open selection procedure primarily guided by individual merit-based criteria. At the same time, it is intended that the appointments collectively result in the Authority being collegially steered by a group with sufficiently diverse expertise and background and gender-balanced representation. Considering that the Commission is tasked with the preparation of the shortlists of candidates for the positions of Chair of the Authority, member of the Executive Board and Executive Director, it should be guided by an imperative to consider the collective outcome of the appointments. Specifically, the shortlisted candidates should enable the appropriate appointing authorities to make appointments that ultimately enable sufficient diversity and gender balance among top management of the Authority. |
| (67) | To protect effectively the rights of parties concerned, for reasons of procedural economy, and to reduce the burden on the Court of Justice of the European Union, the Authority should provide natural and legal persons with the possibility of requesting a review of decisions taken under the direct supervision powers conferred on the Authority by this Regulation and addressed to them, or which are of direct and individual concern to them. The independence and objectivity of the opinions given by the Administrative Board of Review should be, among others, ensured by its composition of five independent and suitably qualified persons. |
| (68) | It is necessary to provide the Authority with the requisite human and financial resources so that it can fulfil the objectives, tasks and responsibilities assigned to it under this Regulation. To guarantee the proper functioning of the Authority, funding should be provided, depending on the tasks and functions, by a combination of fees levied on certain obliged entities and a contribution from the Union budget. To ensure that the Authority can fulfil its tasks as direct or indirect supervisor of obliged entities, an adequate mechanism for the determination and collection of fees should be introduced. As regards the fees levied on selected obliged entities and certain non-selected obliged entities, the methodology for their calculation and the process of collection of fees should be developed in a delegated act of the Commission. The fees levied on certain obliged entities should be calculated according to the principle of proportionality and taking into account, in particular, whether the obliged entities have qualified for direct supervision, their risk profile and their turnover. The methodology should be calibrated in such a way as to ensure that a lower risk profile results in a smaller fee contribution relative to the size of the entity. The contribution from the Union budget is to be decided by the budgetary authority of the Union through the budgetary procedure. To that end, the Authority should submit to the Commission a statement of estimates. It should also adopt financial rules after consulting the Commission. |
| (69) | The rules on establishment and implementation of the budget of the Authority, as well as the presentation of the annual accounts of the Authority, should follow the provisions of Commission Delegated Regulation (EU) 2019/715 (12) as regards cooperation with the EPPO and the effectiveness of OLAF’s investigations. |
| (70) | In order to prevent and combat effectively internal fraud, corruption or any other illegal activity within the Authority, it should be subject to Regulation (EU, Euratom) No 883/2013 as regards cooperation with the EPPO and the effectiveness of OLAF investigations. The Authority should accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-fraud Office (OLAF) (13), which should be able to carry out on-the-spot checks within the area of its competence. |
| (71) | As stated in the Communication of the Commission of 7 February 2013 entitled ‘Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace’, it is essential to ensure a high level of cyber resilience in all Union institutions, bodies, offices and agencies due to the increasingly hostile threat environment. The Executive Director should thus ensure appropriate IT risk management, a strong internal IT governance and sufficient IT security funding. As a rule, at least 10 % of the Authority’s IT expenditure should be transparently allocated to direct IT security. The contribution to the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) could be counted in that minimum expenditure requirement. The Authority should work closely with CERT-EU and report major incidents within 24 hours to CERT-EU as well as to the Commission. |
| (72) | The Authority should be accountable to both the European Parliament and the Council for the execution of its tasks and the implementation of this Regulation. The Authority should submit a report in that respect to the European Parliament, to the Council and to the Commission on an annual basis. |
| (73) | The staff of the Authority should be composed of temporary agents, contractual agents and seconded national experts, including the national delegates placed at the disposition of the Authority by FIUs but that remain under the authority of their delegating FIU. The Authority, in agreement with the Commission, should adopt the relevant implementing measures in accordance with the arrangements provided for in Article 110 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (14) (the ‘Staff Regulations’). |
| (74) | To ensure that confidential information is treated as such, all members of the governing bodies of the Authority, all staff of the Authority, including seconded staff and staff placed at the disposition of the Authority, as well as any persons carrying out tasks for the Authority on a contractual basis, should be subject to the obligation of professional secrecy, including any confidentiality restrictions and obligations stemming from the relevant provisions of Union law, and related to the specific tasks of the Authority. However, confidentiality and professional secrecy obligations should not prevent the Authority from cooperating with, exchanging or disclosing information to other relevant Union or national authorities or bodies, where it is necessary for the performance of their respective tasks and where such cooperation and exchange of information obligations are envisaged in Union law. |
| (75) | Without prejudice to the confidentiality obligations that apply to the staff of the Authority and its representatives in accordance with the relevant provisions of Union law, the Authority should be subject to Regulation (EC) No 1049/2001 of the European Parliament and of the Council (15). In line with the confidentiality and professional secrecy restrictions related to supervisory tasks and to FIU support and coordination tasks of the Authority, public access to documents of the European Parliament, Council and Commission provided for in that Regulation should not be extended to confidential information handled by the staff of the Authority. In particular, any operational data, or information related to such operational data, of the Authority and of the FIUs that is handled by the staff of the Authority as a result of carrying out the tasks and activities related to support and coordination of FIUs should be deemed confidential. With regard to supervisory tasks, access to information or data of the Authority, of the financial supervisors, or of the obliged entities obtained as a result of carrying out the tasks and activities related to direct supervision should in principle also be treated as confidential and not subject to disclosure. However, confidential information that relates to a supervisory procedure should be able to be fully or partially disclosed to the obliged entities which are parties to that supervisory procedure, subject to the legitimate interest of other persons in the protection of their business secrets. |
| (76) | Without prejudice to any specific language arrangements that might be adopted within the AML/CFT supervisory system and with selected obliged entities, Council Regulation No 1 (16) should apply to the Authority and any translation services which might be required for the functioning of the Authority, other than interpretation, should be provided by the Translation Centre for the Bodies of the European Union. |
| (77) | Without prejudice to the obligations of Member States and their authorities, the processing of personal data on the basis of this Regulation for the purposes of the prevention of ML/TF should be considered necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority under Article 5 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (17) and Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council (18). Regulation (EU) 2018/1725 requires the Commission to consult the European Data Protection Supervisor when preparing delegated or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data. That might be the case for the regulatory and implementing technical standards to be developed by the Authority. In order to ensure a smooth process for the preparation and adoption of those acts, where the Authority considers that there is an added value in consulting the European Data Protection Supervisor already at the stage of the development of those acts, it should inform the Commission thereof and obtain its authorisation to proceed with the consultation. |
| (78) | Reporting of irregularities by employees of obliged entities or groups can provide the Authority with critical information on the overall level of compliance by credit institutions and financial institutions across the Union with AML/CFT requirements. Similarly, reporting by employees of supervisory authorities, self-regulatory bodies performing supervisory functions and FIUs can assist the Authority in its role of ensuring high-quality supervision and supporting the development of effective financial intelligence across the internal market. However, those employees need to have sufficient assurances that their reports will be treated with a high level of confidentiality and that their personal data will not be disclosed under any circumstances. To that end, the Authority should have in place measures to maintain the confidentiality of reports of irregularities. In establishing its internal rules for the handling of reports concerning possible breaches of AML/CFT rules, the Authority should ensure that reports by employees of selected obliged entities are prioritised and may set out procedures to deal with repetitive reports, high inflows of reports and situations where reports are submitted, which concern breaches that fall outside the Authority’s mandate. In addition, persons reporting breaches relating to AML/CFT to the Authority should qualify for the protection provided under Directive (EU) 2019/1937 of the European Parliament and of the Council (19), provided that the conditions established therein are fulfilled. |
| (79) | The Authority should establish cooperative relations with the relevant Union bodies, offices and agencies, including Europol, Eurojust, the EPPO and the ESAs. To improve cross-sectoral supervision and promote better cooperation between prudential and AML/CFT supervisors, the Authority should also establish cooperative relations with the authorities competent for prudential supervision of obliged entities in the financial sector, including the ECB with regard to matters relating to the tasks conferred on it by Council Regulation (EU) No 1024/2013 (20), as well as with resolution authorities as defined in Article 3 of Directive 2014/59/EU of the European Parliament and the Council (21), designated authorities as defined in Article 2(1), point (18), of Directive 2014/49/EU of the European Parliament and the Council (22) and competent authorities as defined in Article 3(1), point (35), of Regulation (EU) 2023/1114 of the European Parliament and of the Council (23). To that end, the Authority should be able to conclude agreements or memoranda of understanding with such bodies, including with regard to any information exchange which is necessary for the fulfilment of the respective tasks of the Authority and those bodies. The Authority should make best efforts to share information with such bodies on their request, within the limits posed by legal constraints, including data protection legislation. In addition, the Authority should enable effective information exchange between all financial supervisors in the AML/CFT supervisory system and the aforementioned authorities and such cooperation and information exchanges should take place in a structured and efficient way. |
| (80) | Partnerships for information sharing have become increasingly important cooperation and information exchange fora between competent authorities and obliged entities in some Member States. Given the Authority’s mandate in preventing and detecting money laundering, its predicate offences and terrorist financing, it should be possible for the Authority to set up a partnership for information sharing in order to pursue that goal. Information exchanged within the scope of a partnership for information sharing should be consistent with the scope of the Authority’s mandate. Where the Authority would act as direct supervisor of selected obliged entities or in support to FIUs which are part of a partnership for information sharing in any Member State, it could be beneficial for the Authority to also participate therein, under the conditions determined by the relevant national public authority or authorities that set up such partnership for information sharing and with their express agreement. |
| (81) | Considering that cooperation between supervisory, administrative and law enforcement authorities is crucial in order to successfully combat ML/TF, and certain Union authorities and bodies have specific tasks or mandates in that area, the Authority should ensure that it is able to cooperate with such authorities and bodies, in particular OLAF, Europol, Eurojust, and the EPPO. If there is a need to establish specific working arrangements or conclude memoranda of understanding between the Authority and those authorities and bodies, the Authority should be able to do so. The arrangements should be of a strategic and technical nature, should not imply the sharing of any confidential or operational information in possession of the Authority and should account for tasks already carried out by the other Union institutions, bodies, offices or agencies as regards the prevention of and fight against ML/TF. |
| (82) | Since predicate offences as well as the crime of money laundering itself often are of a global nature, and given that Union obliged entities also operate with and in third countries, effective cooperation with all relevant third-country authorities in the areas of both supervision and functioning of FIUs are crucial for strengthening the Union AML/CFT framework. Given the Authority’s unique combination of direct and indirect supervision and FIU cooperation-related tasks and powers, it should be able to take an active role in such external cooperation arrangements. Specifically, the Authority should be empowered to develop contacts and enter into administrative arrangements with authorities in third countries that have regulatory, supervisory and FIU-related competences. The Authority’s role could be particularly beneficial in cases where the interaction of several Union public authorities and FIUs with third-country authorities concerns matters within the scope of the Authority’s tasks. In such cases, the Authority should have a leading role in facilitating that interaction. |
| (83) | Given its tasks and powers in the field of AML/CFT, the Authority is well placed to support the action of the Commission in international fora, including the FATF, with a view to promoting a united, common, consistent and effective representation of the Union’s interests in such fora. Therefore, the Authority should assist the Commission in its activities as member of the FATF, and contribute to the representation of the Union and the defence of its interests in international fora. In view of the importance of the mutual evaluations carried out by the FATF and the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism of the Council of Europe — MONEYVAL, and where those evaluations concern Member States, the staff of the Authority should make themselves available and cooperate with the assessment teams responsible for carrying out the evaluations, where needed. |
| (84) | Since it is intended that the Authority has a full range of powers and tasks related to direct and indirect supervision and oversight of all obliged entities, it is necessary that those powers remain consolidated within one Union body and do not give rise to conflicting competences with other Union bodies. Therefore, the EBA should not retain its tasks and powers related to AML/CFT once this Regulation becomes fully applicable, and the corresponding articles in Regulation (EU) No 1093/2010 should be deleted. The resources allocated to the EBA for the fulfilment of those tasks and powers should be transferred to the Authority. Considering that all three ESAs should cooperate with the Authority, and should be able to attend the meetings of the General Board in supervisory composition as observers, the same possibility should be afforded to the Authority in respect of meetings of the Board of Supervisors of the ESAs. In cases where the respective Boards of Supervisors discuss or decide on matters that are relevant for the execution of the Authority’s tasks and powers, the Authority should be able to participate in their meetings as an observer. The articles on the compositions of the Board of Supervisors in Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 should therefore be amended accordingly. |
| (85) | In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the rules of procedure for the exercise of the power to impose pecuniary sanctions or periodic penalty payments, in respect of detailed rules on the limitation periods for the imposition and enforcement of penalties, as well as in respect of the establishment of a methodology for calculating the amount of the fee levied on each selected and non-selected obliged entity subject to fees and the procedure for collecting those fees. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (24). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. |
| (86) | The Authority should assume most of its tasks and powers in accordance with this Regulation by 1 July 2025. Direct supervision of selected obliged entities should commence as of 2028. This should give the Authority sufficient time to establish its headquarter in the Member State as determined by this Regulation. |
| (87) | Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives. |
| (88) | The ECB delivered an opinion on 16 February 2022 (25). |
| (89) | The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 22 September 2021 (26), |